For the second year running, security researcher Kurt Grutzmacher has found a way to get a free "Platinum" pass to the Macworld Conference, being held in San Francisco this week.

Thanks to a design flaw in the conference's site, he was able to figure out the special promotional code and award himself a 100 per cent discount when purchasing the show's most expensive pass.


The problem was that the site was downloading an encrypted version of the promotional codes to the browser so that it could check for discounts before passing data to the event's server. Site developers may have done this to reduce the time it takes to process conference applications, but in doing so they introduced a serious security vulnerability, Grutzmacher said.


Although the promotional codes were encrypted, Grutzmacher used a password-cracking tool called John the Ripper to break the encryption and see the discount codes. "I was very surprised it worked," he said in an email interview.


That's because it was the same technique that yielded a Platinum pass for the 2007 show. At that time, the show's promoter, IDG World Expo, "removed all the codes, fixed the site, and said thanks," Grutzmacher said in a Monday blog posting showing how he cracked the site. "I gave them a few tips (don't trust user input, don't give your secret codes to everyone, encryption is not one-way, etc). Did they listen? Nope."
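The two tips quoted above ("don't trust user input, don't give your secret codes to everyone") translate into a registration flow where the browser never receives the promotional codes in any form and the server alone computes the price. The sketch below is an added example, not code from the article, from Grutzmacher or from IDG World Expo; the code names, session ids, function names and attempt limit are assumptions, and the sample data is constructed.

```javascript
// Added example (not from the article): promo codes stay on the server.
// Codes, session ids and function names are hypothetical; sample data is constructed.
const PROMO_CODES = new Map([
  ["EXAMPLE-FULL", { percentOff: 100, expires: Date.parse("2030-01-07T00:00:00Z") }],
  ["EXAMPLE-HALF", { percentOff: 50, expires: Date.parse("2030-01-07T00:00:00Z") }],
]);
const PASS_PRICES_CENTS = new Map([["platinum", 189500]]); // the $1,895 pass
const MAX_ATTEMPTS = 5; // failed promo guesses allowed per session (assumed limit)
const attemptsBySession = new Map();

// Everything the registration page is given: pass names and list prices.
// No codes, and no encrypted or hashed copies of codes, are sent to the browser.
function pagePayload() {
  return { prices: Object.fromEntries(PASS_PRICES_CENTS) };
}

// Server-side pricing. Only passType and promoCode are read from the request;
// any total or discount field the browser supplies is ignored.
function priceOrder(sessionId, order, now = Date.now()) {
  const base = PASS_PRICES_CENTS.get(order.passType);
  if (base === undefined) return { ok: false, error: "unknown pass type" };

  if (order.promoCode === undefined || order.promoCode === "") {
    return { ok: true, totalCents: base, percentOff: 0 };
  }

  // Limit guessing: once a session has failed too often, stop checking codes.
  const used = attemptsBySession.get(sessionId) || 0;
  if (used >= MAX_ATTEMPTS) return { ok: false, error: "too many promo attempts" };

  const promo = PROMO_CODES.get(String(order.promoCode).trim().toUpperCase());
  if (!promo || now >= promo.expires) {
    attemptsBySession.set(sessionId, used + 1);
    return { ok: false, error: "invalid or expired promo code" };
  }

  const totalCents = Math.round((base * (100 - promo.percentOff)) / 100);
  return { ok: true, totalCents, percentOff: promo.percentOff };
}
```

Because the check runs only on the server, the one way to test a code is to submit it, and each failed submission counts against the session's limit.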


Grutzmacher ran his test in the weeks prior to the show, and the code he obtained stopped working on 7 January, he said.
Show representatives were not immediately available to comment.


The security penetration tester went down to San Francisco's Moscone Center on Monday to print up his pass, just to see if his trick worked, but he didn't actually use it to visit the show. "That would be very unethical," he said.


Had he made use of the $1,895 pass, however, Grutzmacher could have had a free lunch, access to sessions at the conference, entry into the Macworld party and priority access to Steve Jobs' keynote on Tuesday.


"Justin," a commentator on Grutzmacher's blog, said he reported a similar bug to IDG in 2003.
Grutzmacher said that this is probably not the last we'll hear of this problem. "I suspect we'll see this again in 2009," he said.